The Microsoft 365 Apps admin center provides several cloud-based features to help you manage the Microsoft 365 Apps in your organization. Features such as Inventory, Security Update Status and Servicing Profiles deliver powerful insights about your Microsoft 365 apps, while helping to ensure they remain up-to-date and secure. If you are not familiar with the Microsoft 365 Apps admin center and the features mentioned above, take a few minutes to review the Roadmap to modern management for Microsoft 365 Apps. Additionally, check out the guided simulations for each of these features available here: Microsoft 365 Apps Management and Health Services.
In this blog post, we're going to take a closer look at how devices onboard to our inventory service within the Microsoft 365 Apps admin center. Successful onboarding is a prerequisite for reporting and update management. Once devices have completed onboarding, they will appear in inventory and their update compliance information will populate on the Security Update Status page. You will also have access to target these devices with a Servicing Profile to ensure they are on the correct update channel and receiving updates consistently with minimal effort.
Note: There are other features in the portal that operate independently from Inventory, Security Update Status and Servicing Profiles. We will not be covering these features in detail in this post, but be aware that they have their own requirements for device onboarding. For example, OneDrive Sync health requires you to set up a Tenant Association Key, and Apps Health requires you to enable diagnostic data.
Unlike other management tools, device onboarding with inventory does not require you to deploy any additional software or settings to devices. Instead, devices onboard automatically through a process referred to as auto provisioning. The following flowchart describes this process in more detail:
Assuming all steps are successful, a device will typically appear in inventory within 60 seconds of an Office app being launched. In some cases, it may be necessary for an Office app to be launched more than once to initiate the onboarding sequence for the first time. This isn’t generally an issue in production, but it is worth noting for lab environments where testing is being done.
Note: After you have enabled inventory for your tenant, keep in mind that all data is being retrieved for the first time. The number of devices reporting in will increase with user activity. Expect to see a large increase in numbers over the first 24 hours, which then tapers off as time goes on. Enabling inventory prior to a weekend or holiday may impact initial onboarding time.
Step 1 – Enabling the inventory feature
The process for enabling inventory for your tenant is simple. If the feature has not been enabled, you will be presented with the Welcome page shown above. Once an admin clicks on Get started, the listed features will be provisioned for your tenant. This action only needs to be completed once.
Step 2 – Review the requirements for using inventory
Devices must meet a few basic requirements before the auto provisioning process can successfully complete onboarding. For the latest list of requirements, visit: Requirements for using inventory. Be sure that you have reviewed these items and taken the appropriate actions for your organization.
Step 3 – Monitor onboarding activity
You can monitor onboarding progress for your tenant by visiting the Inventory Insights page in the Microsoft 365 Apps admin center (shown below). As devices report in, the total under Data Insights will increase. Click on Show all devices to see a complete list of all devices that have onboarded.
From the detailed device list, you can apply sort and filter operations by clicking on the column headers. In the following example we have a filter applied to show devices that have checked in on or after Patch Tuesday. You also have the option to export these results to a CSV file. The export function will include records based on the applied filters. If no filters are applied, all records will be exported.
Below are some of the most common troubleshooting scenarios that we hear about regarding device onboarding with the inventory service, along with recommendations for remediation. Before you move on, always start by reviewing the requirements for using inventory. We find that in most cases devices fail the onboarding process simply because they do not meet the minimum requirements.
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\cloud\office\16.0\Common\officesvcmanager"
The return output should have your TenantAssociationKey. If the value is not present, try signing out of your Office apps, closing Office completely, starting Word, and then running the command again.
If the TenantAssociationKey is still not present, please open a support case or use the feedback button to let us know.
Q: What permissions do I need to enable inventory for my tenant?
A: For more information on supported security roles, visit: Overview of the Microsoft 365 Apps admin center > How to get to the admin center.
Q: What information is collected when enabling inventory?
A: For more information on what data is sent to Microsoft for the inventory feature, visit: Data sent to Microsoft for the inventory feature in the Microsoft 365 Apps admin center.
Q: How long is inventory kept?
A: By default, device records are kept in inventory for 30 days. This can be extended up to 180 days by navigating to Settings > Inventory clean up. Devices send a heartbeat to the inventory service once a day. If a heartbeat has not been received in the defined range, the record will be removed. If the device comes back online and sends a heartbeat, the device will be re-added to inventory.
Q: Why do I see personally owned devices in inventory?
A: Inventory and the other features in the Microsoft 365 Apps admin center are designed to give you a complete picture of the Office apps connected to your tenant, regardless of device management state and domain membership. If a user signs into Office with an Org ID from your tenant, you can expect to see them listed in inventory.
Q: What is the Tenant Association Key?
A: The Tenant Association Key (TAK) is a JSON web token generated for your tenant and is listed in the Microsoft 365 Apps admin center under Settings. The TAK can be decoded using a JSON debugger, and in doing so will output your tenant ID and a unique app ID. The TAK is used to associate devices with your tenant. During onboarding, the TAK is retrieved through the auto provisioning process and stored locally on the device. The TAK will remain on the device as long as the Office apps continue to send a heartbeat to the management service. If Office app use stops for 14 days or more, the TAK is automatically removed for security, but will be retrieved again the next time Office runs.
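The registry check from the troubleshooting section and the decoding described in this answer can be done together on the device, so the key never has to be pasted into an external JSON debugger. The following PowerShell is an added example, not Microsoft's tooling: it assumes the registry value is named TenantAssociationKey and that the TAK uses the compact three-segment JWT form; `$ExpectedTenantId` is a placeholder and the helper function names are hypothetical.

```powershell
# Added example, not Microsoft's tooling. Decodes only; it does not verify the token signature.
$KeyPath   = 'HKLM:\SOFTWARE\Policies\Microsoft\cloud\office\16.0\Common\officesvcmanager'
$ValueName = 'TenantAssociationKey'                          # assumed value name, per the text above
$ExpectedTenantId = '00000000-0000-0000-0000-000000000000'   # placeholder: replace with your tenant ID

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    # JWT segments are base64url without padding: restore the standard alphabet and padding.
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        1 { throw 'Invalid base64url segment length.' }
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    # Assumption: compact serialization (header.payload.signature).
    $parts = $Token.Trim().Split('.')
    if ($parts.Count -ne 3) { throw "Expected 3 JWT segments, found $($parts.Count)." }
    ConvertFrom-Base64Url -Text $parts[1] | ConvertFrom-Json
}

$item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
if (-not $item) {
    # Covers both a device that never onboarded and one whose TAK was removed after inactivity.
    Write-Warning "$ValueName is not present under $KeyPath."
} else {
    $payload = Get-JwtPayload -Token $item.$ValueName
    $payload | Format-List    # every claim, as a JSON debugger would show it

    # Claim names are not listed on this page, so search every claim value for the tenant ID.
    $match = $payload.PSObject.Properties | Where-Object { "$($_.Value)" -eq $ExpectedTenantId }
    if ($match) {
        "TAK references the expected tenant (claim '$($match.Name)')."
    } else {
        Write-Warning 'Expected tenant ID not found in the TAK payload.'
    }
}
```

A TAK that decodes to a different tenant ID than your own is worth investigating before you regenerate the key.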
Q: What does “Generate new key” do?
A: The Generate new key function is an option in the Microsoft 365 Apps admin center. This option can be accessed by navigating to Settings > Tenant Association Key. By default, your tenant will already have a TAK and any devices that have onboarded with the inventory service will be associated with that value. If you believe that your TAK has been compromised (e.g., suspicious devices showing in inventory) or you need to generate a new key (e.g., as directed through a support case), selecting this option will generate a new value. It is important to understand that in doing so, all communication to existing devices will temporarily be lost until the new key has been associated with those devices. Use caution and plan accordingly.
We value your feedback! As you navigate the Microsoft 365 Apps admin center and work with these features, share your thoughts with us by clicking on the feedback button in the upper-right corner. Send us a smile, a frown, or share a suggestion. The feedback you submit goes directly to our engineering team.
Continue the conversation by joining us in the Microsoft 365 Tech Community! Whether you have product questions or just want to stay informed with the latest updates on new releases, tools, and blogs, Microsoft 365 Tech Community is your go-to resource to stay connected!